Add to collection(s) Add to saved
  1. Math
  2. Applied Mathematics

Elliptic Curve Cryptography

advertisement 
Elliptic Curve Cryptography
Aditya Babel
F090740
Universiteit Utrecht
INFOB3CRP - Cryptography
Abstract
In this paper we explore the basic features of elliptic curve cryptography (ECC) without
going into the intricate mathematical details. We develop some mathematical theory in
describing elliptic curve groups and their internal operations. Throughout this paper, we
compare ECC to other asymmetric encryption schemes such as RSA and ELGamal and,
in doing so, hope to convince the reader that, despite its somewhat uninviting and
complicated look, ECC is indeed a reliable cryptographic scheme that will be important
in the near future (with even the potential to replace RSA or ELGamal as the de facto
asymmetric encryption scheme).
Introduction: The prominence of asymmetric cryptography in today’s world
The emergence of asymmetric cryptography over the recent decades has opened a wide
range of applications for both commercial and government use. The importance of this
form of cryptography cannot be understated because several current security schemes
will be rendered much less useful/efficient if we were to stick to symmetric cryptographic
protocols like DES or AES.
One of the big problems in symmetric cryptographic systems is the distribution of the
secret key. While symmetric systems can be reasonably strong themselves and are often
easier to understand to a novice in computer security, one question that is often posed is
if two parties wanted to communicate securely how will they exchange their secret key
required for encryption? This age-old problem does not have too many solutions, and
often the parties are resigned to agreeing on the key beforehand. This is fraught with
danger especially if the information is highly valuable and much-sought-after by some
third party. Also, this tends to become very difficult to process in the modern world with
millions of users trying to connect with each other securely. In a large network of N
communicating entities, if it is fully meshed, maintaining unique symmetric keys for each
communicating pair of entities would require the management of (N 2-1)/2 keys. Using
asymmetric cryptography, this quantity can be reduced to N key pairs. In a group of
1,000 users, it's the difference between managing 1,000 key pairs or 499,500 keys.
The key underlying idea behind asymmetric cryptography is the use of public keys and
private keys with the difficulty of obtaining the private key from the public key. Looking
at this form of cryptography more closely, we see that asymmetric cryptography tends to
be based on a mathematical function, so to speak, whose forward step is relatively easy to
perform whereas the inverse step is far, far more computationally intensive. In fact, one
of the greatest triumphs of most asymmetric cryptographic systems is that as we increase
the key size the forward step of the mathematical function’s difficulty seems to increase
slowly, where, on the other hand, the inverse step’s difficulty increases in an exponential
manner. This is important because this renders that even though there is a rapid increase
of computational power over time, computers simply cannot cope with this form of
cryptography. Even if we were to get a computer that is 20 times more powerful than the
most powerful computer available today it would not be able to crack RSA completely
since we could just increase the size of the primes in question to create a much harder
problem. In this way we can be sure of security: all we have to do is to take Moore’s Law
(that due to technological advances an average computer’s speed doubles every fixed
amount of time, approximately 2 years) into account and use keys large enough so that
we will not face the necessity to change them for the required amount of time.
So it is clear that asymmetric cryptography is absolutely necessary in today’s active
world. But which of the many kinds of asymmetric cryptography must we use? Is there
any form of asymmetric cryptography that is better than another? Why bother with
Elliptic Curve Cryptography, which is one of the newer forms of asymmetric
cryptography, when one could stick to more standard forms of encryption such as RSA?
It is natural to begin with a quick survey of some of the more prominent asymmetric
cryptographic schemes.
Different asymmetric cryptographic systems
Several forms of asymmetric cryptographic schemes have been invented by
mathematicians and computer scientists over the past years such as RSA, the DiffieHellman key exchange, and its close neighbor ELGamal. All these systems, as stated
before, use a one-way mathematical function to enable security. The word “one-way” is
used because whilst the inverse operation is possible it is definitely not feasible as the
problem’s size increases.
In RSA, the intractability of integer factorization is exploited. Rivest, Shamir, and
Adleman were able to notice that while multiplying two primes is very easy to do (even if
they are very large), factorizing them to their constituent factors has no efficient
algorithm. The best we can do is a “sub-exponential” attack to find these elusive prime
factors from the larger composite number.
Both the Diffie-Hellman key exchange and ELGamal use the difficulty of solving the
discrete logarithm problem effectively to create a simple key exchange scheme and a way
to encrypt messages securely. It is worthwhile, in this paper, to describe these systems in
more detail. We work in a finite group of prime order (hence it is cyclic and every nonidentity element is a generator). Suppose two parties, Alice and Bob, wish to
communicate securely. To start things off, they decide openly on the group, Zp, to use,
and an element (non-identity), g, to use as the generator. Alice then proceeds to use
another integer a as her private key. She then sends the number A = ga to Bob. Bob, for
his part, also chooses his own private key, b. He then sends Alice the number B = gb.
Alice computes the secret key, s, by computing Ba and Bob does the same by computing
Ab. These two values are the same (since gab = gba). Through this simple exchange both
parties now have the secret key s. With this secret key Alice and Bob can encrypt
messages that they wish to send to each other. A third party, the eavesdropper Eve,
knows the values of p, g, A, and B. But since the discrete log problem (determining a
from p, g, and A) is considered hard, Eve cannot do anything to find the value of s.
Elliptic Curve Cryptography is very similar to the Diffie-Hellman key exchange system
and ELGamal in that it also relies on the difficulty of the discrete log, but it does the
same under a different underlying group. To understand Elliptic Curve Cryptography it is
essential to first understand elliptic curves and their group structure.
Elliptic Curve Groups
Elliptic Curves are mathematical objects that have been subject to much scrutiny by top
mathematicians over the past 150 years. They have many important, elegant, and
delightful properties and many research papers have been written solely exploring the
various characteristics of these objects. An important feature of these curves is that their
points can be interpreted as part of a mathematical group. But before describing their
group structure which is so important to cryptography, we first define what an elliptic
curve actually is. It is natural to explore the case for real numbers first. An elliptic curve
over the field of real numbers is the set of points that satisfy an elliptic curve equation of
the form:
y2 = x3 + ax + b, with all parameters involved being real numbers
Every choice of a and b produces a different curve. For example, with a = -4 and b = 0.67
we have the following curve drawn on the next page:
We can create a group out of an elliptic curve if it does not contain any repeated zeros, or
equivalently, if 4a3+27b2, the determinant of the curve, is not zero. We include a special
point for an imaginary “point at infinity” called O. This is the identity of the group. The
other elements of the group are the points on the curve. Since the graph is symmetric
around the x-axis, a point P = (x, y) has its inverse defined as -P = (x, -y). Given two
points P and Q on the curve, we add them by drawing a line through them. This line will
either intersect the curve at exactly one point, R, or no points. It can be proven that if it
intersects no other point then Q = -P and the line is a vertical line through P. Otherwise,
we employ the addition relation P + Q + R = O or P + Q = -R. This addition operation
forms a group (the verification that this is indeed a group is standard and can be found in
any mathematical text on basic algebraic geometry).
To add a point P to itself, we simply draw a tangent line at the point P and see what point
it intersects on the curve. It is not a difficult to determine a formula for the addition of
two points P and Q (they are assumed to be distinct here with Q not equal to -P):
Let P = (xP,yP), Q = (xQ,yQ), M = (yP - yQ) / (xP - xQ), and R = P + Q
Then xR = M2 - xP - xQ and yR = -yP + M(xP - xR)
Note that M is the slope of the line through P and Q.
We now turn to more relevant cases, where the underlying field is not the real numbers
but of finite order. Calculations over real numbers are infeasible because they are tougher
to do and cause a lot of round-off errors. Hence in cryptography finite fields are more
often in use and this case is no different.
The first case we consider is the field Fp for a prime p. We put one assumption on the
field at first: that it is not of characteristic 2. The same basic ideas from the real case
follow through for finite fields. For Fp we consider the same elliptic curve equation
except with everything taken in modulo p. An elliptic curve equation defines a group if
there are no repeated roots or equivalently if the determinant (mod p) is not equal to 0.
The elliptic curve group for a finite field consists of the points that satisfy the elliptic
curve together with a point at infinity O, just like in the real case. For instance, consider
y2 = x3 + x in the field F23. The point (9, 5) satisfies this equation as can be easily checked
by substitution and then taking (mod 23) on both sides. In fact, exactly 23 points satisfy
the equation:
Although these points may seem random at first look, they are actually symmetric about
the line y = 11.5. A point P = (x, y) has inverse –P = (x, -y (mod p)). Since it seems
difficult at first sight to “connect points” in finite fields, mathematicians define the sum
of points by using simple formulas (assuming Q is not P or -P):
Let P = (xP,yP), Q = (xQ,yQ), M = (yP - yQ) / (xP - xQ) (mod p), and R = P + Q
Then xR = M2 - xP - xQ (mod p) and yR = -yP + M(xP - xR) (mod p)
Note that M is the slope of the line through P and Q.
A similar equation is used to double a point P:
If P = (xP,yP), 2P = R, and M = (3xP2 + a) / (2yP ) (mod p)
xR = M2 - 2xP (mod p) and yR = -yP + M(xP - xR) (mod p)
As in the case for real numbers, a group is indeed constructed using these operations.
Finally, we consider the case for when the field is of characteristic 2. This is of most
interest to us, because operations in this field are performed over bit strings which make
it easy for computers to do arithmetic in. Consider the field F2^m with 2m elements;
addition, multiplication, and division are performed either using an irreducible
polynomial or by optimal normal basis representation. An elliptic curve group over this
field is formed by choosing elements a and b from the field with the only condition being
that b is not 0. Since the field has characteristic 0, we adjust the elliptic curve equation
for binary representation:
y2 + xy = x3 + ax2 + b
The elliptic curve, as always, includes all points that satisfy the equation over the field.
The elliptic curve group for this field consists of all these satisfied points together with
the usual point at infinity, O. There are finitely many points on such an elliptic curve
which is illustrated with the following example: consider the elliptic curve equation y2 +
xy = x3 + g4x2 + 1 over the field F24. Here g = (0010) is a (multiplicative) generator of the
field and its powers are:
g0 = (0001) g1 = (0010) g2 = (0100) g3 = (1000) g4 = (0011) g5 = (0110) g6 =
(1100) g7 = (1011) g8 = (0101) g9 = (1010) g10 = (0111) g11 = (1110) g12 = (1111)
g13 = (1101) g14 = (1001) g15 = (0001)
We note that in cryptographic applications the order of the group is much larger to
prevent a simple generation of the elements by a computer (normally a field with 2 160
elements). We can compute, as in previous cases, the set of points that satisfy the elliptic
curve. Using generator notion helps to reduce notation and simplify computations. The
fifteen points that satisfy the equation are:
(1, g13) (g3, g13) (g5, g11) (g6, g14) (g9, g13) (g10, g8) (g12, g12) (1, g6) (g3,
g8) (g5, g3) (g6, g8) (g9, g10) (g10, g) (g12, 0) (0, 1)
As in the previous cases, we can determine formulas to add different points of the curve.
If Q is not P or -P, R = P+Q, and M = (yP - yQ) / (xP + xQ) then:
xR = M2 + M + xP + xQ + a and yR = M(xP + xR) + xR + yP
Or to double a point P, we have:
If R = 2P and M = xP + yP / xP
xR = M2+ M + a and yR = xP2 + (M + 1) * xR
Indeed, as always, we have P + O = P for all P.
Through these elliptic curve groups, the understanding of elliptic curve cryptography
becomes possible.
Elliptic Curve Cryptography
This form of cryptography is very akin to Diffie-Hellman and ELGamal in that the
underlying computationally infeasible mathematical problem to solve is the discrete
logarithm. Taking a point P on the curve, we choose a random large integer n. Then we
proceed to compute nP (P added to itself n times). Mathematicians have devised very fast
ways of computing this “scalar multiplication” instead of manually doing it one by one.
The discrete logarithm problem in this case asks one to return the value n after being
given the elliptic curve group in question, P, and nP. This question turns out to be much
harder than the forward process. In fact it is harder than either the DiffieHellman/ELGamal or even RSA with respect to the number of bits used. A precise
description of this “superiority” of ECC of this is considered in the next section.
So now using this varied discrete logarithm problem we are able to do exactly the same
procedures as with Diffie-Hellman (exchange keys) or with ELGamal (encrypt
messages). The same protocols may be used for the same effect.
Comparison versus other forms of cryptography
While ECC does sound elegant to many computer scientists and mathematicians it is
definitely not an easy subject to understand. Indeed, in today's modern world, where
cryptographic schemes are regularly explained to managers of giant corporations who
intend to use the technology for use within their respective companies, it is often difficult
to explain to a layman about the potential benefits of using fancy mathematical objects
like fields and elliptic curves. While this may put ECC a step behind other standard forms
of cryptography like RSA, the advantages of ECC must not be ignored.
Most types of cryptography can be made as difficult to crack as one requires; all the user
has to do is to increase the key size. The difference between two cryptographic schemes
then lies in the key size required to give the same amount of “protection”. One of the
state-of-the-art methods to decipher messages encrypted using either RSA or ELGamal is
the Index Calculus method. This turns the problem of either factorizing a number or
finding the discrete logarithm into a sub-exponential process with respect to the bit-size.
However, the key for ECC lies in the fact that this Index Calculus method only works
with groups of the form Zn and fails to apply to most elliptic curve groups. The Pollard's
rho attack on elliptic curve cryptography is one of the strongest known today. While this
attack works well on certain elliptic curve groups, it fails to give this sub-exponential
bound on other elliptic curve groups. Furthermore, it is not difficult to isolate those
groups that are easily cracked by known attacks. Because of this, much larger group sizes
are required to provide the same security for RSA or ELGamal as is illustrated in the
following table which compares RSA and ECC (ELGamal is weaker than either RSA or
ECC):
ECC
RSA
System parameters
641 bits
0 bits
Public key
161 bits
1041 bits
Private key
160 bits
2048 to 2560 bits
The above table tells us the amount of information in bits required to enforce the same
amount of security as specified and verified by the RSA Laboratories. Quite
understandably ECC requires a lot of system parameters for initialization, but for the
same amount of security as recommended by security organizations in the US, ECC
requires a much smaller bit-size. An elliptic curve group of order 2 160 can give the same
amount of security as a group of order 21024 when used with RSA. When we couple this
fact with Morse's law that computer speeds double every two years, we realize that RSA
systems may soon become more and more difficult to manage with greater and greater
group sizes needed. Using ECC this problem can be avoided without difficulty. Based on
the research trends over the past five years, it was seen that very little progress was made
toward solving the ECC discrete logarithm problem faster. This highlights the potential
of ECC in the future. Small group sizes also increase processor speeds. reduce heat
generation, and save energy in considerable amounts. Finally, ECC has helped pave the
way for several other different kinds of cryptography such as Pairing Based
Cryptography which is supposedly the “next big thing”.
Conclusion
While ECC may be relatively difficult to understand for the layman, it is nevertheless an
important technology that has great potential to prosper in the future. The challenging and
somewhat complicated nature of elliptic curve groups make it harder to crack the ECC
discrete logarithm problem. With less bits required to give the same security, ECC has
fared favorably compared to either RSA or Diffie-Hellman.
Through this paper, I hope that I have been able to communicate some of the major
aspects of ECC whilst censoring out some of the very technical mathematical details
involved.
References
- Wikipedia: Elliptic Curve Cryptography
http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
- Device Forge: An Intro to Elliptic Curve Cryptography
http://www.deviceforge.com/articles/AT4234154468.html
- RSA Laboratories - Overview of Elliptic Curve Cryptosystems
http://www.rsa.com/rsalabs/node.asp?id=2013
- Steven Galbriath; Elliptic Curve Cryptography
http://www.isg.rhul.ac.uk/~sdg/ecc.html
- certicom: ECC Tutorial
http://www.certicom.com/index.php/10-introduction
- Wikipedia: Elliptic Curves
http://en.wikipedia.org/wiki/Elliptic_curve
- Wikipedia: Diffie-Hellman key exchange
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- Wikipedia: Elgamal encryption
http://en.wikipedia.org/wiki/ElGamal_encryption
Related documents
SSL(Secure Sockets Layer)とは?
SSL(Secure Sockets Layer)とは?
Syllabus
Syllabus
exam2-review
exam2-review
Security
Security
Automatic low complexity face detection algorithm
Automatic low complexity face detection algorithm
ECC Presentation - byu-ecc
ECC Presentation - byu-ecc
Abstract
Abstract
Download
advertisement